Hi, as discussed in private mail, here is the NMU.
Kind regards T.
diff -u moin-1.5.8/debian/changelog moin-1.5.8/debian/changelog --- moin-1.5.8/debian/changelog +++ moin-1.5.8/debian/changelog @@ -1,3 +1,15 @@ +moin (1.5.8-5.1) unstable; urgency=high + + * NMU with maintainer consent, urgency for security updates + * update upstream patches to moin-1.5 branch revision 856 to fix bugs + + cross-site scripting vulnerabilities using AttachFile, + CVE-2008-0781 + + directory traversal in MOIN_ID cookie vulnerability, + CVE-2008-0782 (Closes: #462984) + + XSS problem in login, CVE-2008-780 + + -- Thomas Viehmann <[EMAIL PROTECTED]> Tue, 19 Feb 2008 22:38:10 +0100 + moin (1.5.8-5) unstable; urgency=high * Acknowledge NMU. only in patch2: unchanged: --- moin-1.5.8.orig/debian/patches/00855_userid_cookie_directory_traversal.patch +++ moin-1.5.8/debian/patches/00855_userid_cookie_directory_traversal.patch 
@@ -0,0 +1,76 @@ +# HG changeset patch +# User Thomas Waldmann <tw AT waldmann-edv DOT de> +# Date 1200868068 -3600 +# Node ID e69a16b6e63020ac615e74b3184d6e89597352e0 +# Parent 2f952fa361c7bc6ed127ec0618038272385186cd +Security fix: only accept valid user IDs from the cookie + +diff -r 2f952fa361c7 -r e69a16b6e630 MoinMoin/user.py +--- a/MoinMoin/user.py Sun Jan 20 17:36:42 2008 +0100 ++++ b/MoinMoin/user.py Sun Jan 20 23:27:48 2008 +0100 +@@ -6,7 +6,7 @@ + @license: GNU GPL, see COPYING for details. + """ + +-import os, time, sha, codecs ++import os, time, sha, codecs, re + + try: + import cPickle as pickle +@@ -19,6 +19,7 @@ from MoinMoin import config, caching, wi + from MoinMoin import config, caching, wikiutil + from MoinMoin.util import filesys, timefuncs + ++USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?$') + + def getUserList(request): + """ Get a list of all (numerical) user IDs. +@@ -27,10 +28,9 @@ def getUserList(request): + @rtype: list + @return: all user IDs + """ +- import re, dircache +- user_re = re.compile(r'^\d+\.\d+(\.\d+)?$') ++ import dircache + files = dircache.listdir(request.cfg.user_dir) +- userlist = [f for f in files if user_re.match(f)] ++ userlist = [f for f in files if USERID_re.match(f)] + return userlist + + +@@ -210,7 +210,7 @@ class User: + self._cfg = request.cfg + self.valid = 0 + self.trusted = 0 +- self.id = id ++ self.id = self.id_sanitycheck(id) + self.auth_username = auth_username + self.auth_method = kw.get('auth_method', 'internal') + self.auth_attribs = kw.get('auth_attribs', ()) +@@ -298,6 +298,15 @@ class User: + # use it reliably in edit locking + from random import randint + return "%s.%d" % (str(time.time()), randint(0,65535)) ++ ++ def id_sanitycheck(self, id): ++ """ only return valid user IDs, avoid someone faking his cookie to ++ contain '../../../somefile', breaking out of the data/user/ directory! 
++ """ ++ if id and USERID_re.match(id): ++ return id ++ else: ++ return None + + def create_or_update(self, changed=False): + """ Create or update a user profile +diff -r 2f952fa361c7 -r e69a16b6e630 docs/CHANGES +--- a/docs/CHANGES Sun Jan 20 17:36:42 2008 +0100 ++++ b/docs/CHANGES Sun Jan 20 23:27:48 2008 +0100 +@@ -44,6 +44,7 @@ Version 1.5.current: + * Fixed Despam action (same editor grouping was broken), now looking for + spam edits in the last 30 days. + * Fixed XSS issue in login action. ++ * Security fix: only accept valid user IDs from the cookie. + + Version 1.5.8: + New features: only in patch2: unchanged: --- moin-1.5.8.orig/debian/patches/00854_login_XSS.patch +++ moin-1.5.8/debian/patches/00854_login_XSS.patch 
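Review bot: In `id_sanitycheck` (MoinMoin/user.py, patch 00855) the shared pattern `USERID_re` ends in `$`, which in Python also matches just before a trailing newline, so an otherwise valid ID followed by `\n` still passes `USERID_re.match(id)` and is stored in `self.id`. Anchoring the end with `\Z` closes that gap: `USERID_re = re.compile(r'^\d+\.\d+(\.\d+)?\Z')`. A rejected ID is silently turned into `None`; the docstring should say so, and a log line at that point would make forged cookies visible to whoever operates the wiki. The `User` class body continues outside the hunk, so how a `None` id is handled later cannot be confirmed from here.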
@@ -0,0 +1,36 @@ +# HG changeset patch +# User Thomas Waldmann <tw AT waldmann-edv DOT de> +# Date 1200847002 -3600 +# Node ID 2f952fa361c7bc6ed127ec0618038272385186cd +# Parent dbe95b27954adcb135e392ff1f9c883d0cfb7dc6 +XSS fix for login action, thanks to Fernando Quintero for reporting this + +diff -r dbe95b27954a -r 2f952fa361c7 MoinMoin/action/login.py +--- a/MoinMoin/action/login.py Fri Jan 18 21:40:23 2008 +0100 ++++ b/MoinMoin/action/login.py Sun Jan 20 17:36:42 2008 +0100 +@@ -40,12 +40,12 @@ class LoginHandler: + if not user.isValidName(request, name): + error = _("""Invalid user name {{{'%s'}}}. + Name may contain any Unicode alpha numeric character, with optional one +-space between words. Group page name is not allowed.""") % name ++space between words. Group page name is not allowed.""") % wikiutil.escape(name) + + # Check that user exists + elif not user.getUserId(request, name): + error = _('Unknown user name: {{{"%s"}}}. Please enter' +- ' user name and password.') % name ++ ' user name and password.') % wikiutil.escape(name) + + # Require password + else: +diff -r dbe95b27954a -r 2f952fa361c7 docs/CHANGES +--- a/docs/CHANGES Fri Jan 18 21:40:23 2008 +0100 ++++ b/docs/CHANGES Sun Jan 20 17:36:42 2008 +0100 +@@ -43,6 +43,7 @@ Version 1.5.current: + * added missing data/plugin/converter package + * Fixed Despam action (same editor grouping was broken), now looking for + spam edits in the last 30 days. ++ * Fixed XSS issue in login action. + + Version 1.5.8: + New features: only in patch2: unchanged: --- moin-1.5.8.orig/debian/patches/00852_add_missing_converter.patch +++ moin-1.5.8/debian/patches/00852_add_missing_converter.patch 
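Review bot: The escaping in `LoginHandler` (MoinMoin/action/login.py, patch 00854) is applied message by message, and the last branch of the chain (`else:` under `# Require password`) is cut off at the hunk edge, so it should be checked that no message there interpolates `name` unescaped. A short comment above the chain, for example `# error is presumably rendered as HTML: escape every request value put into it`, would keep later branches from repeating the problem. The hunk adds no import, so it relies on `wikiutil` already being imported in login.py. In debian/changelog the identifier for this issue is written `CVE-2008-780`, without the leading zero the other two entries carry; that looks like a typo worth fixing before upload.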
@@ -0,0 +1,27 @@ +# HG changeset patch +# User Thomas Waldmann <tw AT waldmann-edv DOT de> +# Date 1193382918 -7200 +# Node ID ca98a59c590262c1a7cad51be6af1dfa40e605fe +# Parent cb0593b6fc0599e4bb5b206d46f0ee8d12232bcf +added missing data/plugin/converter package + +diff -r cb0593b6fc05 -r ca98a59c5902 docs/CHANGES +--- a/docs/CHANGES Wed Sep 26 06:51:37 2007 +0200 ++++ b/docs/CHANGES Fri Oct 26 09:15:18 2007 +0200 +@@ -40,6 +40,7 @@ Version 1.5.current: + * Avoid 'current' file corruption in out-of-space conditions. + * Fix "Toggle line numbers" link in code areas, so it gets translated + for the current user's language. ++ * added missing data/plugin/converter package + + Version 1.5.8: + New features: +diff -r cb0593b6fc05 -r ca98a59c5902 wiki/data/plugin/converter/__init__.py +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/wiki/data/plugin/converter/__init__.py Fri Oct 26 09:15:18 2007 +0200 +@@ -0,0 +1,5 @@ ++# -*- coding: iso-8859-1 -*- ++ ++from MoinMoin.util import pysupport ++ ++modules = pysupport.getPackageModules(__file__) only in patch2: unchanged: --- moin-1.5.8.orig/debian/patches/00853_despam_editor_grouping.patch +++ moin-1.5.8/debian/patches/00853_despam_editor_grouping.patch 
@@ -0,0 +1,131 @@ +# HG changeset patch +# User Thomas Waldmann <tw AT waldmann-edv DOT de> +# Date 1200688823 -3600 +# Node ID dbe95b27954adcb135e392ff1f9c883d0cfb7dc6 +# Parent ca98a59c590262c1a7cad51be6af1dfa40e605fe +fixed Despam action: editor grouping was broken, increase time interval to 30d + +diff -r ca98a59c5902 -r dbe95b27954a MoinMoin/action/Despam.py +--- a/MoinMoin/action/Despam.py Fri Oct 26 09:15:18 2007 +0200 ++++ b/MoinMoin/action/Despam.py Fri Jan 18 21:40:23 2008 +0100 +@@ -8,6 +8,8 @@ + @license: GNU GPL, see COPYING for details. + """ + ++DAYS = 30 # we look for spam edits in the last x days ++ + import time + + from MoinMoin.logfile import editlog +@@ -16,6 +18,20 @@ from MoinMoin import wikiutil, Page, Pag + from MoinMoin import wikiutil, Page, PageEditor + from MoinMoin.macro import RecentChanges + from MoinMoin.formatter.text_html import Formatter ++ ++def render(editor_tuple): ++ etype, evalue = editor_tuple ++ if etype == 'ip': ++ ret = evalue ++ elif etype == 'interwiki': ++ ewiki, euser = evalue ++ if ewiki == 'Self': ++ ret = euser ++ else: ++ ret = '%s:%s' % evalue ++ else: ++ ret = repr(editor_tuple) ++ return ret + + def show_editors(request, pagename, timestamp): + _ = request.getText +@@ -31,13 +47,14 @@ def show_editors(request, pagename, time + if not request.user.may.read(line.pagename): + continue + +- editor = line.getEditor(request) ++ editor = line.getInterwikiEditorData(request) + if not line.pagename in pages: + pages[line.pagename] = 1 + editors[editor] = editors.get(editor, 0) + 1 + +- editors = [(nr, editor) for editor, nr in editors.iteritems()] ++ editors = [(nr, editor) for editor, nr in editors.items()] + editors.sort() ++ editors.reverse() + + pg = Page.Page(request, pagename) + +@@ -46,7 +63,7 @@ def show_editors(request, pagename, time + Column('pages', label=_("Pages"), align='right'), + Column('link', label='', align='left')] + for nr, editor in editors: +- dataset.addRow((editor, unicode(nr), 
pg.link_to(request, text=_("Select Author"), querystr="action=Despam&editor=%s" % wikiutil.url_quote_plus(editor)))) ++ dataset.addRow((render(editor), unicode(nr), pg.link_to(request, text=_("Select Author"), querystr="action=Despam&editor=%s" % wikiutil.url_quote_plus(repr(editor))))) + + table = DataBrowserWidget(request) + table.setData(dataset) +@@ -77,7 +94,7 @@ def show_pages(request, pagename, editor + + if not line.pagename in pages: + pages[line.pagename] = 1 +- if line.getEditor(request) == editor: ++ if repr(line.getInterwikiEditorData(request)) == editor: + line.time_tuple = request.user.getTime(wikiutil.version2timestamp(line.ed_time_usecs)) + request.write(RecentChanges.format_page_edits(macro, [line], timestamp)) + +@@ -104,10 +121,10 @@ def revert_page(request, pagename, edito + for line in log.reverse(): + if first: + first = False +- if line.getEditor(request) != editor: ++ if repr(line.getInterwikiEditorData(request)) != editor: + return + else: +- if line.getEditor(request) != editor: ++ if repr(line.getInterwikiEditorData(request)) != editor: + rev = line.rev + break + +@@ -144,17 +161,17 @@ def revert_pages(request, editor, timest + + if not line.pagename in pages: + pages[line.pagename] = 1 +- if line.getEditor(request) == editor: ++ if repr(line.getInterwikiEditorData(request)) == editor: + revertpages.append(line.pagename) + +- request.write("Debug: Pages to revert:<br>%s" % "<br>".join(revertpages)) ++ request.write("Pages to revert:<br>%s" % "<br>".join(revertpages)) + for pagename in revertpages: +- request.write("Debug: Begin reverting %s ...<br>" % pagename) ++ request.write("Begin reverting %s ...<br>" % pagename) + msg = revert_page(request, pagename, editor) + if msg: + request.write("<p>%s: %s</p>" % ( + Page.Page(request, pagename).link_to(request), msg)) +- request.write("Debug: Finished reverting %s.<br>" % pagename) ++ request.write("Finished reverting %s.<br>" % pagename) + + def execute(pagename, request): + _ = 
request.getText +@@ -166,7 +183,7 @@ def execute(pagename, request): + msg = _('You are not allowed to use this action.')) + + editor = request.form.get('editor', [None])[0] +- timestamp = time.time() - 24 * 3600 ++ timestamp = time.time() - DAYS * 24 * 3600 + # request.form.get('timestamp', [None])[0] + ok = request.form.get('ok', [0])[0] + +diff -r ca98a59c5902 -r dbe95b27954a docs/CHANGES +--- a/docs/CHANGES Fri Oct 26 09:15:18 2007 +0200 ++++ b/docs/CHANGES Fri Jan 18 21:40:23 2008 +0100 +@@ -41,6 +41,8 @@ Version 1.5.current: + * Fix "Toggle line numbers" link in code areas, so it gets translated + for the current user's language. + * added missing data/plugin/converter package ++ * Fixed Despam action (same editor grouping was broken), now looking for ++ spam edits in the last 30 days. + + Version 1.5.8: + New features: only in patch2: unchanged: --- moin-1.5.8.orig/debian/patches/00856_attach_file_XSS.patch +++ moin-1.5.8/debian/patches/00856_attach_file_XSS.patch 
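Review bot: In `revert_pages` (MoinMoin/action/Despam.py, patch 00853) the three `request.write` calls that lost their `Debug:` prefix still put page names into HTML as they are, e.g. `request.write("Begin reverting %s ...<br>" % pagename)`. The pages being despammed may have been created by the spammer, so unless `request.write` encodes its argument (not visible here) the names should go through `wikiutil.escape`, which the file already imports: `request.write("Begin reverting %s ...<br>" % wikiutil.escape(pagename))`, and likewise for the joined `revertpages` list and the "Finished reverting" line. The new `render()` helper has no docstring; one line saying it turns an `('ip', value)` or `('interwiki', (wiki, user))` tuple into display text would help. Whether the table widget in `show_editors` escapes its result should also be confirmed.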
@@ -0,0 +1,78 @@ +# HG changeset patch +# User Thomas Waldmann <tw AT waldmann-edv DOT de> +# Date 1201046099 -3600 +# Node ID db212dfc58eff3ff7d1c9860d5fe79933217dc6e +# Parent e69a16b6e63020ac615e74b3184d6e89597352e0 +fix XSS issues in AttachFile action + +diff -r e69a16b6e630 -r db212dfc58ef MoinMoin/action/AttachFile.py +--- a/MoinMoin/action/AttachFile.py Sun Jan 20 23:27:48 2008 +0100 ++++ b/MoinMoin/action/AttachFile.py Wed Jan 23 00:54:59 2008 +0100 +@@ -440,7 +440,7 @@ Otherwise, if "Rename to" is left blank, + 'action_name': action_name, + 'upload_label_file': _('File to upload'), + 'upload_label_rename': _('Rename to'), +- 'rename': request.form.get('rename', [''])[0], ++ 'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1), + 'upload_label_overwrite': _('Overwrite existing attachment of same name'), + 'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'], + 'upload_button': _('Upload'), +@@ -543,6 +543,8 @@ def execute(pagename, request): + + + def upload_form(pagename, request, msg=''): ++ if msg: ++ msg = wikiutil.escape(msg) + _ = request.getText + + request.http_headers() +@@ -734,7 +736,7 @@ def send_moveform(pagename, request): + d = {'action': 'AttachFile', + 'do': 'attachment_move', + 'ticket': wikiutil.createTicket(request), +- 'pagename': pagename, ++ 'pagename': wikiutil.escape(pagename, 1), + 'attachment_name': filename, + 'move': _('Move'), + 'cancel': _('Cancel'), +@@ -821,13 +823,13 @@ def install_package(pagename, request): + + if package.isPackage(): + if package.installPackage(): +- msg=_("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)} ++ msg=_("Attachment '%(filename)s' installed.") % {'filename': target} + else: +- msg=_("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)} ++ msg=_("Installation of '%(filename)s' failed.") % {'filename': target} + if package.msg != "": + msg += "<br><pre>" + wikiutil.escape(package.msg) + "</pre>" 
+ else: +- msg = _('The file %s is not a MoinMoin package file.' % wikiutil.escape(target)) ++ msg = _('The file %s is not a MoinMoin package file.' % target) + + upload_form(pagename, request, msg=msg) + +@@ -911,9 +913,9 @@ def unzip_file(pagename, request): + "files are too big, .zip files only, exist already or " + "reside in folders.") % {'filename': filename} + else: +- msg = _('The file %(target)s is not a .zip file.' % target) ++ msg = _('The file %(target)s is not a .zip file.' % {'target': filename}) + +- upload_form(pagename, request, msg=wikiutil.escape(msg)) ++ upload_form(pagename, request, msg=msg) + + def send_viewfile(pagename, request): + _ = request.getText +diff -r e69a16b6e630 -r db212dfc58ef docs/CHANGES +--- a/docs/CHANGES Sun Jan 20 23:27:48 2008 +0100 ++++ b/docs/CHANGES Wed Jan 23 00:54:59 2008 +0100 +@@ -43,7 +43,7 @@ Version 1.5.current: + * added missing data/plugin/converter package + * Fixed Despam action (same editor grouping was broken), now looking for + spam edits in the last 30 days. +- * Fixed XSS issue in login action. ++ * Fixed XSS issues in login and AttachFile action. + * Security fix: only accept valid user IDs from the cookie. + + Version 1.5.8: